Manual Chapter : Attack signatures

Applies To:


BIG-IP ASM

  • 16.0.0

Attack signatures

Attack signatures can be difficult to configure because the relevant configuration items and values are spread across several places. First enable the attack signature violation, then configure which signature sets are to be enforced. Note that there are different ways to configure these sets, and there might be some overlap when doing so. You can also enable or disable signatures individually.
In the following example, the attack signature violation is enabled and set to enforce all signatures:
Block settings must not be empty.
{
  "policy": {
    "name": "attack_sigs",
    "template": {
      "name": "POLICY_TEMPLATE_FUNDAMENTAL"
    },
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "signature-sets": [
      {
        "name": "All Signatures",
        "block": true,
        "alarm": true
      }
    ]
  }
}
In the following example, the attack signature violation is enabled and set to enforce only high accuracy signatures:
{
  "policy": {
    "name": "attack_sigs",
    "template": {
      "name": "POLICY_TEMPLATE_FUNDAMENTAL"
    },
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "signature-sets": [
      {
        "name": "High Accuracy Signatures",
        "block": true,
        "alarm": true
      }
    ]
  }
}
In the following example, the signature ID 200001834 is excluded:
{
  "policy": {
    "name": "signature_exclude",
    "template": {
      "name": "POLICY_TEMPLATE_FUNDAMENTAL"
    },
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "signature-sets": [
      {
        "name": "All Signatures",
        "block": true,
        "alarm": true,
        "learn": false
      }
    ],
    "signatures": [
      {
        "signatureId": 200001834,
        "enabled": false
      }
    ]
  }
}
In the following example, the policy is the same, but a new section is added and the attack signatures to be modified are appended using the same signature ID 200001834:
{
  "policy": {
    "name": "signature_modification_entitytype",
    "template": {
      "name": "POLICY_TEMPLATE_FUNDAMENTAL"
    },
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "signature-sets": [
      {
        "name": "All Signatures",
        "block": true,
        "alarm": true,
        "learn": false
      }
    ]
  },
  "modifications": [
    {
      "entityChanges": {
        "enabled": false
      },
      "entity": {
        "signatureId": 200001834
      },
      "entityType": "signature",
      "action": "add-or-update"
    }
  ]
}
The following is an example for multiple attack signatures. The signature IDs need to be added as separate entities under the modifications list, each on its own, with only the signature ID updated:
"modifications": [
  {
    "entityChanges": {
      "enabled": false
    },
    "entity": {
      "signatureId": 200001834
    },
    "entityType": "signature",
    "action": "add-or-update"
  },
  {
    "entityChanges": {
      "enabled": false
    },
    "entity": {
      "signatureId": 200004461
    },
    "entityType": "signature",
    "action": "add-or-update"
  }
]
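Because a signature can be switched on or off both under "signatures" inside the policy and under "modifications", the two sections can disagree. The following added example (not F5 code) builds one modifications entry per signature ID and lists the signatures that are disabled or that carry conflicting settings, so exclusions can be reviewed before a policy is deployed. The function names and the sample declaration are constructed for illustration, and the script makes no assumption about which section takes precedence.

```python
import json

def signature_modifications(signature_ids, enabled=False):
    """One 'modifications' entry per signature ID, in the shape shown on the page."""
    unique_ids = dict.fromkeys(int(s) for s in signature_ids)  # de-duplicate, keep order
    return [{"entityChanges": {"enabled": enabled},
             "entity": {"signatureId": sig_id},
             "entityType": "signature",
             "action": "add-or-update"} for sig_id in unique_ids]

def signature_overrides(declaration):
    """Map signatureId -> [(section, enabled), ...] for every per-signature setting."""
    found = {}
    for sig in declaration.get("policy", {}).get("signatures", []):
        found.setdefault(sig["signatureId"], []).append(
            ("policy.signatures", sig.get("enabled")))
    for mod in declaration.get("modifications", []):
        sig_id = mod.get("entity", {}).get("signatureId")
        if mod.get("entityType") != "signature" or sig_id is None:
            continue
        found.setdefault(sig_id, []).append(
            ("modifications", mod.get("entityChanges", {}).get("enabled")))
    return found

def audit(declaration):
    """Return (disabled_ids, conflicting_ids) so exclusions can be reviewed."""
    overrides = signature_overrides(declaration)
    disabled = sorted(s for s, hits in overrides.items()
                      if any(enabled is False for _, enabled in hits))
    conflicts = sorted(s for s, hits in overrides.items()
                       if len({enabled for _, enabled in hits}) > 1)
    return disabled, conflicts

# Constructed sample: one signature is set in both sections with different values.
SAMPLE = {
    "policy": {
        "name": "attack_sigs_audit_sample",
        "template": {"name": "POLICY_TEMPLATE_FUNDAMENTAL"},
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "signature-sets": [{"name": "All Signatures", "block": True, "alarm": True}],
        "signatures": [{"signatureId": 200001834, "enabled": True}],
    },
    "modifications": signature_modifications([200001834, 200004461, 200004461]),
}

if __name__ == "__main__":
    disabled, conflicts = audit(SAMPLE)
    print(json.dumps({"disabled": disabled, "conflicts": conflicts}, indent=2))
```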